1 /*
2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs11;
27
28 import java.io.IOException;
29 import java.math.BigInteger;
30 import java.nio.ByteBuffer;
31
32 import java.security.*;
33 import java.security.interfaces.*;
34 import sun.nio.ch.DirectBuffer;
35
36 import sun.security.util.*;
37 import sun.security.x509.AlgorithmId;
38
39 import sun.security.rsa.RSASignature;
40 import sun.security.rsa.RSAPadding;
41
42 import sun.security.pkcs11.wrapper.*;
43 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
44 import sun.security.util.KeyUtil;
45
46 /**
47 * Signature implementation class. This class currently supports the
48 * following algorithms:
49 *
50 * . DSA
51 * . NONEwithDSA (RawDSA)
52 * . SHA1withDSA
53 * . NONEwithDSAinP1363Format (RawDSAinP1363Format)
54 * . SHA1withDSAinP1363Format
55 * . RSA:
56 * . MD2withRSA
57 * . MD5withRSA
58 * . SHA1withRSA
59 * . SHA224withRSA
60 * . SHA256withRSA
61 * . SHA384withRSA
62 * . SHA512withRSA
63 * . ECDSA
64 * . NONEwithECDSA
65 * . SHA1withECDSA
66 * . SHA224withECDSA
67 * . SHA256withECDSA
68 * . SHA384withECDSA
69 * . SHA512withECDSA
70 * . NONEwithECDSAinP1363Format
71 * . SHA1withECDSAinP1363Format
72 * . SHA224withECDSAinP1363Format
73 * . SHA256withECDSAinP1363Format
74 * . SHA384withECDSAinP1363Format
75 * . SHA512withECDSAinP1363Format
76 *
77 * Note that the underlying PKCS#11 token may support complete signature
78 * algorithm (e.g. CKM_DSA_SHA1, CKM_MD5_RSA_PKCS), or it may just
79 * implement the signature algorithm without hashing (e.g. CKM_DSA, CKM_PKCS),
80 * or it may only implement the raw public key operation (CKM_RSA_X_509).
81 * This class uses what is available and adds whatever extra processing
82 * is needed.
83 *
84 * @author Andreas Sterbenz
85 * @since 1.5
86 */
87 final class P11Signature extends SignatureSpi {
88
89 // token instance
90 private final Token token;
91
92 // algorithm name
93 private final String algorithm;
94
95 // name of the key algorithm, currently either RSA or DSA
96 private final String keyAlgorithm;
97
98 // mechanism id
99 private final long mechanism;
100
101 // digest algorithm OID, if we encode RSA signature ourselves
102 private final ObjectIdentifier digestOID;
103
104 // type, one of T_* below
105 private final int type;
106
107 // key instance used, if init*() was called
108 private P11Key p11Key;
109
110 // message digest, if we do the digesting ourselves
111 private final MessageDigest md;
112
113 // associated session, if any
114 private Session session;
115
116 // mode, one of M_* below
117 private int mode;
118
119 // flag indicating whether an operation is initialized
120 private boolean initialized;
121
122 // buffer, for update(byte) or DSA
123 private final byte[] buffer;
124
125 // total number of bytes processed in current operation
126 private int bytesProcessed;
127
128 // The format, to be used for DSA and ECDSA signatures.
129 // If true, the IEEE P1363 format will be used, the concatenation of
130 // r and s. If false (default), the signature will be formatted as a
131 // DER-encoded ASN.1 sequence of r and s.
132 private boolean p1363Format = false;
133
134 // constant for signing mode
135 private final static int M_SIGN = 1;
136 // constant for verification mode
137 private final static int M_VERIFY = 2;
138
139 // constant for type digesting, we do the hashing ourselves
140 private final static int T_DIGEST = 1;
141 // constant for type update, token does everything
142 private final static int T_UPDATE = 2;
143 // constant for type raw, used with RawDSA and NONEwithECDSA only
144 private final static int T_RAW = 3;
145
146 // XXX PKCS#11 v2.20 says "should not be longer than 1024 bits",
147 // but this is a little arbitrary
148 private final static int RAW_ECDSA_MAX = 128;
149
150 P11Signature(Token token, String algorithm, long mechanism)
151 throws NoSuchAlgorithmException, PKCS11Exception {
152 super();
153 this.token = token;
154 this.algorithm = algorithm;
155 this.mechanism = mechanism;
156 byte[] buffer = null;
157 ObjectIdentifier digestOID = null;
158 MessageDigest md = null;
159 switch ((int)mechanism) {
160 case (int)CKM_MD2_RSA_PKCS:
161 case (int)CKM_MD5_RSA_PKCS:
162 case (int)CKM_SHA1_RSA_PKCS:
163 case (int)CKM_SHA224_RSA_PKCS:
164 case (int)CKM_SHA256_RSA_PKCS:
165 case (int)CKM_SHA384_RSA_PKCS:
166 case (int)CKM_SHA512_RSA_PKCS:
167 keyAlgorithm = "RSA";
168 type = T_UPDATE;
169 buffer = new byte[1];
170 break;
171 case (int)CKM_DSA_SHA1:
172 keyAlgorithm = "DSA";
173 type = T_UPDATE;
174 buffer = new byte[1];
175 break;
176 case (int)CKM_ECDSA_SHA1:
177 keyAlgorithm = "EC";
178 type = T_UPDATE;
179 buffer = new byte[1];
180 break;
181 case (int)CKM_DSA:
182 keyAlgorithm = "DSA";
183 if (algorithm.equals("DSA") ||
184 algorithm.equals("DSAinP1363Format")) {
185 type = T_DIGEST;
186 md = MessageDigest.getInstance("SHA-1");
187 } else if (algorithm.equals("RawDSA") ||
188 algorithm.equals("RawDSAinP1363Format")) {
189 type = T_RAW;
190 buffer = new byte[20];
191 } else {
192 throw new ProviderException(algorithm);
193 }
194 break;
195 case (int)CKM_ECDSA:
196 keyAlgorithm = "EC";
197 if (algorithm.equals("NONEwithECDSA") ||
198 algorithm.equals("NONEwithECDSAinP1363Format")) {
199 type = T_RAW;
200 buffer = new byte[RAW_ECDSA_MAX];
201 } else {
202 String digestAlg;
203 if (algorithm.equals("SHA1withECDSA") ||
204 algorithm.equals("SHA1withECDSAinP1363Format")) {
205 digestAlg = "SHA-1";
206 } else if (algorithm.equals("SHA224withECDSA") ||
207 algorithm.equals("SHA224withECDSAinP1363Format")) {
208 digestAlg = "SHA-224";
209 } else if (algorithm.equals("SHA256withECDSA") ||
210 algorithm.equals("SHA256withECDSAinP1363Format")) {
211 digestAlg = "SHA-256";
212 } else if (algorithm.equals("SHA384withECDSA") ||
213 algorithm.equals("SHA384withECDSAinP1363Format")) {
214 digestAlg = "SHA-384";
215 } else if (algorithm.equals("SHA512withECDSA") ||
216 algorithm.equals("SHA512withECDSAinP1363Format")) {
217 digestAlg = "SHA-512";
218 } else {
219 throw new ProviderException(algorithm);
220 }
221 type = T_DIGEST;
222 md = MessageDigest.getInstance(digestAlg);
223 }
224 break;
225 case (int)CKM_RSA_PKCS:
226 case (int)CKM_RSA_X_509:
227 keyAlgorithm = "RSA";
228 type = T_DIGEST;
229 if (algorithm.equals("MD5withRSA")) {
230 md = MessageDigest.getInstance("MD5");
231 digestOID = AlgorithmId.MD5_oid;
232 } else if (algorithm.equals("SHA1withRSA")) {
233 md = MessageDigest.getInstance("SHA-1");
234 digestOID = AlgorithmId.SHA_oid;
235 } else if (algorithm.equals("MD2withRSA")) {
236 md = MessageDigest.getInstance("MD2");
237 digestOID = AlgorithmId.MD2_oid;
238 } else if (algorithm.equals("SHA224withRSA")) {
239 md = MessageDigest.getInstance("SHA-224");
240 digestOID = AlgorithmId.SHA224_oid;
241 } else if (algorithm.equals("SHA256withRSA")) {
242 md = MessageDigest.getInstance("SHA-256");
243 digestOID = AlgorithmId.SHA256_oid;
244 } else if (algorithm.equals("SHA384withRSA")) {
245 md = MessageDigest.getInstance("SHA-384");
246 digestOID = AlgorithmId.SHA384_oid;
247 } else if (algorithm.equals("SHA512withRSA")) {
248 md = MessageDigest.getInstance("SHA-512");
249 digestOID = AlgorithmId.SHA512_oid;
250 } else {
251 throw new ProviderException("Unknown signature: " + algorithm);
252 }
253 break;
254 default:
255 throw new ProviderException("Unknown mechanism: " + mechanism);
256 }
257 this.buffer = buffer;
258 this.digestOID = digestOID;
259 this.md = md;
260 if (algorithm.endsWith("inP1363Format")) {
261 this.p1363Format = true;
262 }
263 }
264
265 private void ensureInitialized() {
266 token.ensureValid();
267 if (initialized == false) {
268 initialize();
269 }
270 }
271
272 private void cancelOperation() {
273 token.ensureValid();
274 if (initialized == false) {
275 return;
276 }
277 initialized = false;
278 if ((session == null) || (token.explicitCancel == false)) {
279 return;
280 }
281 if (session.hasObjects() == false) {
282 session = token.killSession(session);
283 return;
284 }
285 // "cancel" operation by finishing it
286 // XXX make sure all this always works correctly
287 if (mode == M_SIGN) {
288 try {
289 if (type == T_UPDATE) {
290 token.p11.C_SignFinal(session.id(), 0);
291 } else {
292 byte[] digest;
293 if (type == T_DIGEST) {
294 digest = md.digest();
295 } else { // T_RAW
296 digest = buffer;
297 }
298 token.p11.C_Sign(session.id(), digest);
299 }
300 } catch (PKCS11Exception e) {
301 throw new ProviderException("cancel failed", e);
302 }
303 } else { // M_VERIFY
304 try {
305 byte[] signature;
306 if (keyAlgorithm.equals("DSA")) {
307 signature = new byte[40];
308 } else {
309 signature = new byte[(p11Key.length() + 7) >> 3];
310 }
311 if (type == T_UPDATE) {
312 token.p11.C_VerifyFinal(session.id(), signature);
313 } else {
314 byte[] digest;
315 if (type == T_DIGEST) {
316 digest = md.digest();
317 } else { // T_RAW
318 digest = buffer;
319 }
320 token.p11.C_Verify(session.id(), digest, signature);
321 }
322 } catch (PKCS11Exception e) {
323 // will fail since the signature is incorrect
324 // XXX check error code
325 }
326 }
327 }
328
329 // assumes current state is initialized == false
330 private void initialize() {
331 try {
332 if (session == null) {
333 session = token.getOpSession();
334 }
335 if (mode == M_SIGN) {
336 token.p11.C_SignInit(session.id(),
337 new CK_MECHANISM(mechanism), p11Key.keyID);
338 } else {
339 token.p11.C_VerifyInit(session.id(),
340 new CK_MECHANISM(mechanism), p11Key.keyID);
341 }
342 initialized = true;
343 } catch (PKCS11Exception e) {
344 throw new ProviderException("Initialization failed", e);
345 }
346 if (bytesProcessed != 0) {
347 bytesProcessed = 0;
348 if (md != null) {
349 md.reset();
350 }
351 }
352 }
353
354 private void checkKeySize(String keyAlgo, Key key)
355 throws InvalidKeyException {
356 CK_MECHANISM_INFO mechInfo = null;
357 try {
358 mechInfo = token.getMechanismInfo(mechanism);
359 } catch (PKCS11Exception e) {
360 // should not happen, ignore for now.
361 }
362 if (mechInfo == null) {
363 // skip the check if no native info available
364 return;
365 }
366 int minKeySize = (int) mechInfo.ulMinKeySize;
367 int maxKeySize = (int) mechInfo.ulMaxKeySize;
368 // need to override the MAX keysize for SHA1withDSA
369 if (md != null && mechanism == CKM_DSA && maxKeySize > 1024) {
370 maxKeySize = 1024;
371 }
372 int keySize = 0;
373 if (key instanceof P11Key) {
374 keySize = ((P11Key) key).length();
375 } else {
376 try {
377 if (keyAlgo.equals("RSA")) {
378 keySize = ((RSAKey) key).getModulus().bitLength();
379 } else if (keyAlgo.equals("DSA")) {
380 keySize = ((DSAKey) key).getParams().getP().bitLength();
381 } else if (keyAlgo.equals("EC")) {
382 keySize = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
383 } else {
384 throw new ProviderException("Error: unsupported algo " + keyAlgo);
385 }
386 } catch (ClassCastException cce) {
387 throw new InvalidKeyException(keyAlgo +
388 " key must be the right type", cce);
389 }
390 }
391 if ((minKeySize != -1) && (keySize < minKeySize)) {
392 throw new InvalidKeyException(keyAlgo +
393 " key must be at least " + minKeySize + " bits");
394 }
395 if ((maxKeySize != -1) && (keySize > maxKeySize)) {
396 throw new InvalidKeyException(keyAlgo +
397 " key must be at most " + maxKeySize + " bits");
398 }
399 if (keyAlgo.equals("RSA")) {
400 checkRSAKeyLength(keySize);
401 }
402 }
403
404 private void checkRSAKeyLength(int len) throws InvalidKeyException {
405 RSAPadding padding;
406 try {
407 padding = RSAPadding.getInstance
408 (RSAPadding.PAD_BLOCKTYPE_1, (len + 7) >> 3);
409 } catch (InvalidAlgorithmParameterException iape) {
410 throw new InvalidKeyException(iape.getMessage());
411 }
412 int maxDataSize = padding.getMaxDataSize();
413 int encodedLength;
414 if (algorithm.equals("MD5withRSA") ||
415 algorithm.equals("MD2withRSA")) {
416 encodedLength = 34;
417 } else if (algorithm.equals("SHA1withRSA")) {
418 encodedLength = 35;
419 } else if (algorithm.equals("SHA224withRSA")) {
420 encodedLength = 47;
421 } else if (algorithm.equals("SHA256withRSA")) {
422 encodedLength = 51;
423 } else if (algorithm.equals("SHA384withRSA")) {
424 encodedLength = 67;
425 } else if (algorithm.equals("SHA512withRSA")) {
426 encodedLength = 83;
427 } else {
428 throw new ProviderException("Unknown signature algo: " + algorithm);
429 }
430 if (encodedLength > maxDataSize) {
431 throw new InvalidKeyException
432 ("Key is too short for this signature algorithm");
433 }
434 }
435
436 // see JCA spec
437 protected void engineInitVerify(PublicKey publicKey)
438 throws InvalidKeyException {
439 if (publicKey == null) {
440 throw new InvalidKeyException("Key must not be null");
441 }
442 // Need to check key length whenever a new key is set
443 if (publicKey != p11Key) {
444 checkKeySize(keyAlgorithm, publicKey);
445 }
446 cancelOperation();
447 mode = M_VERIFY;
448 p11Key = P11KeyFactory.convertKey(token, publicKey, keyAlgorithm);
449 initialize();
450 }
451
452 // see JCA spec
453 protected void engineInitSign(PrivateKey privateKey)
454 throws InvalidKeyException {
455 if (privateKey == null) {
456 throw new InvalidKeyException("Key must not be null");
457 }
458 // Need to check RSA key length whenever a new key is set
459 if (privateKey != p11Key) {
460 checkKeySize(keyAlgorithm, privateKey);
461 }
462 cancelOperation();
463 mode = M_SIGN;
464 p11Key = P11KeyFactory.convertKey(token, privateKey, keyAlgorithm);
465 initialize();
466 }
467
468 // see JCA spec
469 protected void engineUpdate(byte b) throws SignatureException {
470 ensureInitialized();
471 switch (type) {
472 case T_UPDATE:
473 buffer[0] = b;
474 engineUpdate(buffer, 0, 1);
475 break;
476 case T_DIGEST:
477 md.update(b);
478 bytesProcessed++;
479 break;
480 case T_RAW:
481 if (bytesProcessed >= buffer.length) {
482 bytesProcessed = buffer.length + 1;
483 return;
484 }
485 buffer[bytesProcessed++] = b;
486 break;
487 default:
488 throw new ProviderException("Internal error");
489 }
490 }
491
492 // see JCA spec
493 protected void engineUpdate(byte[] b, int ofs, int len)
494 throws SignatureException {
495 ensureInitialized();
496 if (len == 0) {
497 return;
498 }
499 switch (type) {
500 case T_UPDATE:
501 try {
502 if (mode == M_SIGN) {
503 token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
504 } else {
505 token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len);
506 }
507 bytesProcessed += len;
508 } catch (PKCS11Exception e) {
509 throw new ProviderException(e);
510 }
511 break;
512 case T_DIGEST:
513 md.update(b, ofs, len);
514 bytesProcessed += len;
515 break;
516 case T_RAW:
517 if (bytesProcessed + len > buffer.length) {
518 bytesProcessed = buffer.length + 1;
519 return;
520 }
521 System.arraycopy(b, ofs, buffer, bytesProcessed, len);
522 bytesProcessed += len;
523 break;
524 default:
525 throw new ProviderException("Internal error");
526 }
527 }
528
529 // see JCA spec
530 protected void engineUpdate(ByteBuffer byteBuffer) {
531 ensureInitialized();
532 int len = byteBuffer.remaining();
533 if (len <= 0) {
534 return;
535 }
536 switch (type) {
537 case T_UPDATE:
538 if (byteBuffer instanceof DirectBuffer == false) {
539 // cannot do better than default impl
540 super.engineUpdate(byteBuffer);
541 return;
542 }
543 long addr = ((DirectBuffer)byteBuffer).address();
544 int ofs = byteBuffer.position();
545 try {
546 if (mode == M_SIGN) {
547 token.p11.C_SignUpdate
548 (session.id(), addr + ofs, null, 0, len);
549 } else {
550 token.p11.C_VerifyUpdate
551 (session.id(), addr + ofs, null, 0, len);
552 }
553 bytesProcessed += len;
554 byteBuffer.position(ofs + len);
555 } catch (PKCS11Exception e) {
556 throw new ProviderException("Update failed", e);
557 }
558 break;
559 case T_DIGEST:
560 md.update(byteBuffer);
561 bytesProcessed += len;
562 break;
563 case T_RAW:
564 if (bytesProcessed + len > buffer.length) {
565 bytesProcessed = buffer.length + 1;
566 return;
567 }
568 byteBuffer.get(buffer, bytesProcessed, len);
569 bytesProcessed += len;
570 break;
571 default:
572 throw new ProviderException("Internal error");
573 }
574 }
575
576 // see JCA spec
577 protected byte[] engineSign() throws SignatureException {
578 ensureInitialized();
579 try {
580 byte[] signature;
581 if (type == T_UPDATE) {
582 int len = keyAlgorithm.equals("DSA") ? 40 : 0;
583 signature = token.p11.C_SignFinal(session.id(), len);
584 } else {
585 byte[] digest;
586 if (type == T_DIGEST) {
587 digest = md.digest();
588 } else { // T_RAW
589 if (mechanism == CKM_DSA) {
590 if (bytesProcessed != buffer.length) {
591 throw new SignatureException
592 ("Data for RawDSA must be exactly 20 bytes long");
593 }
594 digest = buffer;
595 } else { // CKM_ECDSA
596 if (bytesProcessed > buffer.length) {
597 throw new SignatureException("Data for NONEwithECDSA"
598 + " must be at most " + RAW_ECDSA_MAX + " bytes long");
599 }
600 digest = new byte[bytesProcessed];
601 System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
602 }
603 }
604 if (keyAlgorithm.equals("RSA") == false) {
605 // DSA and ECDSA
606 signature = token.p11.C_Sign(session.id(), digest);
607 } else { // RSA
608 byte[] data = encodeSignature(digest);
609 if (mechanism == CKM_RSA_X_509) {
610 data = pkcs1Pad(data);
611 }
612 signature = token.p11.C_Sign(session.id(), data);
613 }
614 }
615 if (keyAlgorithm.equals("RSA")) {
616 return signature;
617 } else {
618 if (p1363Format) {
619 return signature;
620 } else {
621 return dsaToASN1(signature);
622 }
623 }
624 } catch (PKCS11Exception pe) {
625 throw new ProviderException(pe);
626 } catch (SignatureException | ProviderException e) {
627 cancelOperation();
628 throw e;
629 } finally {
630 initialized = false;
631 session = token.releaseSession(session);
632 }
633 }
634
635 // see JCA spec
636 protected boolean engineVerify(byte[] signature) throws SignatureException {
637 ensureInitialized();
638 try {
639 if (!p1363Format) {
640 if (keyAlgorithm.equals("DSA")) {
641 signature = asn1ToDSA(signature);
642 } else if (keyAlgorithm.equals("EC")) {
643 signature = asn1ToECDSA(signature);
644 }
645 }
646 if (type == T_UPDATE) {
647 token.p11.C_VerifyFinal(session.id(), signature);
648 } else {
649 byte[] digest;
650 if (type == T_DIGEST) {
651 digest = md.digest();
652 } else { // T_RAW
653 if (mechanism == CKM_DSA) {
654 if (bytesProcessed != buffer.length) {
655 throw new SignatureException
656 ("Data for RawDSA must be exactly 20 bytes long");
657 }
658 digest = buffer;
659 } else {
660 if (bytesProcessed > buffer.length) {
661 throw new SignatureException("Data for NONEwithECDSA"
662 + " must be at most " + RAW_ECDSA_MAX + " bytes long");
663 }
664 digest = new byte[bytesProcessed];
665 System.arraycopy(buffer, 0, digest, 0, bytesProcessed);
666 }
667 }
668 if (keyAlgorithm.equals("RSA") == false) {
669 // DSA and ECDSA
670 token.p11.C_Verify(session.id(), digest, signature);
671 } else { // RSA
672 byte[] data = encodeSignature(digest);
673 if (mechanism == CKM_RSA_X_509) {
674 data = pkcs1Pad(data);
675 }
676 token.p11.C_Verify(session.id(), data, signature);
677 }
678 }
679 return true;
680 } catch (PKCS11Exception pe) {
681 long errorCode = pe.getErrorCode();
682 if (errorCode == CKR_SIGNATURE_INVALID) {
683 return false;
684 }
685 if (errorCode == CKR_SIGNATURE_LEN_RANGE) {
686 // return false rather than throwing an exception
687 return false;
688 }
689 // ECF bug?
690 if (errorCode == CKR_DATA_LEN_RANGE) {
691 return false;
692 }
693 throw new ProviderException(pe);
694 } catch (SignatureException | ProviderException e) {
695 cancelOperation();
696 throw e;
697 } finally {
698 initialized = false;
699 session = token.releaseSession(session);
700 }
701 }
702
703 private byte[] pkcs1Pad(byte[] data) {
704 try {
705 int len = (p11Key.length() + 7) >> 3;
706 RSAPadding padding = RSAPadding.getInstance
707 (RSAPadding.PAD_BLOCKTYPE_1, len);
708 byte[] padded = padding.pad(data);
709 return padded;
710 } catch (GeneralSecurityException e) {
711 throw new ProviderException(e);
712 }
713 }
714
715 private byte[] encodeSignature(byte[] digest) throws SignatureException {
716 try {
717 return RSASignature.encodeSignature(digestOID, digest);
718 } catch (IOException e) {
719 throw new SignatureException("Invalid encoding", e);
720 }
721 }
722
723 // private static byte[] decodeSignature(byte[] signature) throws IOException {
724 // return RSASignature.decodeSignature(digestOID, signature);
725 // }
726
727 // For DSA and ECDSA signatures, PKCS#11 represents them as a simple
728 // byte array that contains the concatenation of r and s.
729 // For DSA, r and s are always exactly 20 bytes long.
730 // For ECDSA, r and s are of variable length, but we know that each
731 // occupies half of the array.
732 private static byte[] dsaToASN1(byte[] signature) {
733 int n = signature.length >> 1;
734 BigInteger r = new BigInteger(1, P11Util.subarray(signature, 0, n));
735 BigInteger s = new BigInteger(1, P11Util.subarray(signature, n, n));
736 try {
737 DerOutputStream outseq = new DerOutputStream(100);
738 outseq.putInteger(r);
739 outseq.putInteger(s);
740 DerValue result = new DerValue(DerValue.tag_Sequence,
741 outseq.toByteArray());
742 return result.toByteArray();
743 } catch (java.io.IOException e) {
744 throw new RuntimeException("Internal error", e);
745 }
746 }
747
748 private static byte[] asn1ToDSA(byte[] sig) throws SignatureException {
749 try {
750 // Enforce strict DER checking for signatures
751 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
752 DerValue[] values = in.getSequence(2);
753
754 // check number of components in the read sequence
755 // and trailing data
756 if ((values.length != 2) || (in.available() != 0)) {
757 throw new IOException("Invalid encoding for signature");
758 }
759
760 BigInteger r = values[0].getPositiveBigInteger();
761 BigInteger s = values[1].getPositiveBigInteger();
762
763 byte[] br = toByteArray(r, 20);
764 byte[] bs = toByteArray(s, 20);
765 if ((br == null) || (bs == null)) {
766 throw new SignatureException("Out of range value for R or S");
767 }
768 return P11Util.concat(br, bs);
769 } catch (SignatureException e) {
770 throw e;
771 } catch (Exception e) {
772 throw new SignatureException("Invalid encoding for signature", e);
773 }
774 }
775
776 private byte[] asn1ToECDSA(byte[] sig) throws SignatureException {
777 try {
778 // Enforce strict DER checking for signatures
779 DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
780 DerValue[] values = in.getSequence(2);
781
782 // check number of components in the read sequence
783 // and trailing data
784 if ((values.length != 2) || (in.available() != 0)) {
785 throw new IOException("Invalid encoding for signature");
786 }
787
788 BigInteger r = values[0].getPositiveBigInteger();
789 BigInteger s = values[1].getPositiveBigInteger();
790
791 // trim leading zeroes
792 byte[] br = KeyUtil.trimZeroes(r.toByteArray());
793 byte[] bs = KeyUtil.trimZeroes(s.toByteArray());
794 int k = Math.max(br.length, bs.length);
795 // r and s each occupy half the array
796 byte[] res = new byte[k << 1];
797 System.arraycopy(br, 0, res, k - br.length, br.length);
798 System.arraycopy(bs, 0, res, res.length - bs.length, bs.length);
799 return res;
800 } catch (Exception e) {
801 throw new SignatureException("Invalid encoding for signature", e);
802 }
803 }
804
805 private static byte[] toByteArray(BigInteger bi, int len) {
806 byte[] b = bi.toByteArray();
807 int n = b.length;
808 if (n == len) {
809 return b;
810 }
811 if ((n == len + 1) && (b[0] == 0)) {
812 byte[] t = new byte[len];
813 System.arraycopy(b, 1, t, 0, len);
814 return t;
815 }
816 if (n > len) {
817 return null;
818 }
819 // must be smaller
820 byte[] t = new byte[len];
821 System.arraycopy(b, 0, t, (len - n), n);
822 return t;
823 }
824
825 // see JCA spec
826 @SuppressWarnings("deprecation")
827 protected void engineSetParameter(String param, Object value)
828 throws InvalidParameterException {
829 throw new UnsupportedOperationException("setParameter() not supported");
830 }
831
832 // see JCA spec
833 @SuppressWarnings("deprecation")
834 protected Object engineGetParameter(String param)
835 throws InvalidParameterException {
836 throw new UnsupportedOperationException("getParameter() not supported");
837 }
838 }